Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share

broadcastreceiver - Restricting Android Broadcast Receiver from specific app

I have 2 applications.
If I use a service, I can set a permission so only app1 can send an intent to app2:
Define the permission in app2 (protection level: signature), and use that permission in app1.
The service in app2 is protected by that permission.
In this way, only app1 can send an intent to a service on app2, and no other app (unless my signature is leaked) can send an intent to the service on app2.

Can I do the same with Broadcast Receiver?

  • app1: sendBroadcast(intent, permission)
  • app2: define permission, use that permission.

To my understanding, when using sendBroadcast(intent, permission), the application doesn't need to "use" the permission, meaning ANY application can send an intent to app2. Those permission parameters are only checked against app2, to prevent other applications from receiving this intent. (If I remove app2 and install a fake app2 with the same permission string defined, the fake app2 can get the intent from app1, which is unexpected.)

BTW, if an application defines the permission and uses it itself, the protectionLevel (signature) seems to have no meaning. Is this true?

Now, I can set an additional permission:

  • app1: Define permission, use that permission.
  • app2: Receiver restricted only for that permission.

Again, if one removes app1 and installs a fake app1 with the very same permission, then the fake app1 can send a fake intent to app2. What can I do to prevent app2 from receiving a fake intent?

Thanks

1 Reply

The <receiver> tag can also define what permission the broadcasters should have, see http://developer.android.com/guide/topics/manifest/receiver-element.html#prmsn

I mean you can protect your receiver from unauthorized broadcasts by coding like this:

...
<permission android:name="com.yourapp.PERMISSION"
    android:protectionLevel="signature"
    android:label="@string/permission_label"
    android:description="@string/permission_desc">
</permission>
...

<receiver android:name=".MyReceiver"
    android:permission="com.yourapp.PERMISSION">
    <intent-filter>
        <action android:name="com.yourapp.ACTION" />
    </intent-filter>
</receiver>
...
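For the "fake app with the same permission string" case raised in the question, the receiver can also confirm at runtime that the permission the system has registered is a signature-level one owned by app2 or by an app with the same signing certificate. This is an added example, not code from the original answer; the package name `com.yourapp` is an assumption inferred from the permission name, and `permissionIsTrusted` is a hypothetical helper.

```java
package com.yourapp; // assumed package name for app2

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.PermissionInfo;
import android.util.Log;

public class MyReceiver extends BroadcastReceiver {
    private static final String TAG = "MyReceiver";
    private static final String PERMISSION = "com.yourapp.PERMISSION";
    private static final String ACTION = "com.yourapp.ACTION";

    /**
     * Hypothetical helper: true only if the permission currently registered
     * with the system is signature-level and was defined by this package or
     * by a package signed with the same certificate.
     */
    static boolean permissionIsTrusted(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        try {
            PermissionInfo info = pm.getPermissionInfo(PERMISSION, 0);
            String self = ctx.getPackageName();
            boolean trustedOwner = self.equals(info.packageName)
                    || pm.checkSignatures(self, info.packageName)
                            == PackageManager.SIGNATURE_MATCH;
            // Mask off flag bits so only the base protection level is compared.
            int base = info.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE;
            return trustedOwner && base == PermissionInfo.PROTECTION_SIGNATURE;
        } catch (PackageManager.NameNotFoundException e) {
            return false; // permission not defined at all: treat as untrusted
        }
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        if (!ACTION.equals(intent.getAction())) {
            return; // not the action declared in the manifest intent-filter
        }
        if (!permissionIsTrusted(context)) {
            // A same-named permission from a foreign package would land here.
            Log.w(TAG, "Dropping broadcast: " + PERMISSION + " is not trusted");
            return;
        }
        Log.i(TAG, "Accepted broadcast from a holder of " + PERMISSION);
        // App-specific handling of the intent goes here.
    }
}
```

The manifest attribute still does the sender check; this code only refuses to rely on it when the permission definition itself is not the one app2 expects.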
